
Slot configuration protection locks itself when updating protection

Open u1735067 opened this issue 7 years ago • 2 comments

When updating configuration protection, you can end up with a locked configuration while this is not what you configured. Tested on YubiKey 4 Nano v4.3.3.

Repro steps

Go to settings > update settings (default untouched settings) > select a slot > select the right protection status (protected + the correct access code if protected, unprotected if unprotected) + keep it that way > click update. As expected, it will work; the slot will keep the protection settings. Now retry 2 more times.

Result

After 3 total "keep it that way" updates with the correct access code, the slot configuration protection will be locked; the tool returns the same error as when you enter the wrong access code. The only way to put the configuration protection back in a working state is to clear the slot, using the access code you set, if you set one.

So, by doing an authorized action with the right access code, the slot configuration protection locks itself.

Also, if you have only 1 slot, or if you lock both slots by doing this, the YubiKey tools are then unable to read the serial number of the key until you reset + reinitialize at least 1 slot. You can still use the slots, though; they are kept in the same configuration/key as before the lock.

It seems to act the same as unchecking "Enable updating of Yubikey configuration", except that the ability to read the serial number is also disabled.

Semi-fix

Reset + reinitialize the locked slot(s) -- the slot configuration is lost.

Side issue

If it happens on a slot you configured, you can still reset it. But if it happens on the Yubikey OTP slot, or a slot you have no control over, the issue can be a bit more problematic. As far as I could test, switching slots only works with unprotected slots (or slots set with the same access code?), but as one of the slots is locked, you cannot swap the slots until you reset the locked slot. And in the case of Yubico OTP (and the VIP thing?), this would make you lose one feature (or official status) of the key.

I don't think this is working as expected?

u1735067, Dec 09 '16 00:12